jackrabbit-oak-commits mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ang...@apache.org
Subject svn commit: r1481016 - in /jackrabbit/oak/trunk/oak-core/src: main/java/org/apache/jackrabbit/oak/security/authorization/ main/java/org/apache/jackrabbit/oak/spi/security/authorization/ main/java/org/apache/jackrabbit/oak/spi/security/authorization/res...
Date Fri, 10 May 2013 14:13:22 GMT
Author: angela
Date: Fri May 10 14:13:22 2013
New Revision: 1481016

URL: http://svn.apache.org/r1481016
Log:
OAK-50 : Implement User Management

Removed:
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/EffectivePolicyTest.java
Modified:
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
    jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
    jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/ACL.java
Fri May 10 14:13:22 2013
@@ -229,7 +229,7 @@ abstract class ACL extends AbstractAcces
         return true;
     }
 
-    // TODO
+    // TODO: OAK-814
     private boolean isRedundantOrExtending(ACE existing, ACE entry) {
         return existing.isAllow() == entry.isAllow()
                 && (!(existing.getPrincipal() instanceof Group) || entries.indexOf(existing)
== entries.size() - 1);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImpl.java
Fri May 10 14:13:22 2013
@@ -489,21 +489,20 @@ public class AccessControlManagerImpl im
     @CheckForNull
     private JackrabbitAccessControlList createACL(@Nullable String oakPath,
                                                   @Nonnull Tree accessControlledTree,
-                                                  boolean isReadOnly) throws RepositoryException
{
+                                                  boolean isEffectivePolicy) throws RepositoryException
{
         JackrabbitAccessControlList acl = null;
         String aclName = AccessControlUtils.getAclName(oakPath);
-        String mixinName = AccessControlUtils.getMixinName(oakPath);
-
         if (accessControlledTree.exists() && AccessControlUtils.isAccessControlled(oakPath,
accessControlledTree, ntMgr)) {
             Tree aclTree = accessControlledTree.getChild(aclName);
-            if (aclTree.exists()) {
+            // TODO: effective policies: add proper handling for modified ACLs
+            if (aclTree.exists() && (!isEffectivePolicy || aclTree.getStatus() !=
Tree.Status.NEW)) {
                 List<JackrabbitAccessControlEntry> entries = new ArrayList<JackrabbitAccessControlEntry>();
                 for (Tree child : aclTree.getChildren()) {
                     if (AccessControlUtils.isACE(child, ntMgr)) {
                         entries.add(createACE(oakPath, child, restrictionProvider));
                     }
                 }
-                if (isReadOnly) {
+                if (isEffectivePolicy) {
                     acl = new ImmutableACL(oakPath, entries, restrictionProvider, namePathMapper);
                 } else {
                     acl = new NodeACL(oakPath, entries);

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/AccessControlConfiguration.java
Fri May 10 14:13:22 2013
@@ -28,7 +28,7 @@ import org.apache.jackrabbit.oak.spi.sec
 import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
 
 /**
- * {@code AccessControlContextProvider}...
+ * Configuration for access control management and permission evaluation.
  */
 public interface AccessControlConfiguration extends SecurityConfiguration {
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/Restriction.java
Fri May 10 14:13:22 2013
@@ -22,13 +22,27 @@ import javax.jcr.Value;
 import org.apache.jackrabbit.oak.api.PropertyState;
 
 /**
- * Restriction... TODO
+ * A {@code Restriction} object represents a "live" restriction object that
+ * has been created using the Jackrabbit specific extensions of the
+ * {@link javax.jcr.security.AccessControlEntry AccessControlEntry} interface.
+ *
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#addEntry(java.security.Principal,
javax.jcr.security.Privilege[], boolean, java.util.Map)
  */
 public interface Restriction extends RestrictionDefinition {
 
+    /**
+     * The OAK property state associated with this restriction.
+     *
+     * @return An {@code PropertyState}.
+     */
     @Nonnull
     PropertyState getProperty();
 
+    /**
+     * The JCR value of this restriction object contained in {@link #getProperty()}.
+     *
+     * @return The JCR value of this restriction.
+     */
     @Nonnull
     Value getValue();
 }

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionDefinition.java
Fri May 10 14:13:22 2013
@@ -19,7 +19,21 @@ package org.apache.jackrabbit.oak.spi.se
 import javax.annotation.Nonnull;
 
 /**
- * RestrictionDefinition... TODO
+ * The {@code RestrictionDefinition} interface provides methods for
+ * discovering the static definition of any additional policy-internal refinements
+ * of the access control definitions. These restrictions are intended to be
+ * used wherever effects are too fine-grained to be exposed through privilege
+ * discovery or define a different restriction mechanism. A common case may be
+ * to provide finer-grained access restrictions to individual properties or
+ * child nodes of the node to which the policy applies e.g. by means of
+ * naming patterns or node type restrictions.
+ *
+ * Its subclass {@code Restriction} adds methods that are relevant only when
+ * a given restriction is "live" after being created and applied to a given
+ * policy.
+ *
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#getRestrictionNames()
+ * @see org.apache.jackrabbit.api.security.JackrabbitAccessControlList#getRestrictionType(String)
  */
 public interface RestrictionDefinition {
 

Modified: jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/main/java/org/apache/jackrabbit/oak/spi/security/authorization/restriction/RestrictionImpl.java
Fri May 10 14:13:22 2013
@@ -64,7 +64,7 @@ public class RestrictionImpl extends Res
         }
         if (o instanceof RestrictionImpl) {
             RestrictionImpl other = (RestrictionImpl) o;
-            return super.equals(other) && getValue().equals(other.getValue());
+            return super.equals(other) && property.equals(property);
         }
 
         return false;

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/ACLTest.java
Fri May 10 14:13:22 2013
@@ -417,7 +417,7 @@ public class ACLTest extends AbstractAcc
         assertFalse(acl.getEntries().get(0).isAllow());
     }
 
-    @Ignore("OAK-51") // TODO
+    @Ignore("OAK-814") // TODO
     @Test
     public void testUpdateGroupEntry() throws Exception {
         Privilege[] readPriv = privilegesFromNames(JCR_READ);
@@ -439,7 +439,7 @@ public class ACLTest extends AbstractAcc
         assertACE(princ2AllowEntry, true, privilegesFromNames(JCR_READ, JCR_WRITE));
     }
 
-    @Ignore("OAK-51") // TODO
+    @Ignore("OAK-814") // TODO
     @Test
     public void testComplementaryGroupEntry() throws Exception {
         Privilege[] readPriv = privilegesFromNames(JCR_READ);
@@ -466,7 +466,7 @@ public class ACLTest extends AbstractAcc
         assertACE(second, false, privilegesFromNames(JCR_READ, JCR_WRITE));
     }
 
-    @Ignore("OAK-51") // TODO
+    @Ignore("OAK-814") // TODO
     @Test
     public void testAllowWriteDenyRemoveGroupEntries() throws Exception {
         Principal everyone = principalManager.getEveryone();

Modified: jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
URL: http://svn.apache.org/viewvc/jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java?rev=1481016&r1=1481015&r2=1481016&view=diff
==============================================================================
--- jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
(original)
+++ jackrabbit/oak/trunk/oak-core/src/test/java/org/apache/jackrabbit/oak/security/authorization/AccessControlManagerImplTest.java
Fri May 10 14:13:22 2013
@@ -46,6 +46,7 @@ import com.google.common.collect.Immutab
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
 import org.apache.jackrabbit.JcrConstants;
+import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
 import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
 import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
@@ -58,6 +59,7 @@ import org.apache.jackrabbit.oak.namepat
 import org.apache.jackrabbit.oak.namepath.NamePathMapper;
 import org.apache.jackrabbit.oak.namepath.NamePathMapperImpl;
 import org.apache.jackrabbit.oak.plugins.name.Namespaces;
+import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
 import org.apache.jackrabbit.oak.plugins.value.ValueFactoryImpl;
 import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
 import org.apache.jackrabbit.oak.spi.security.authorization.AbstractAccessControlTest;
@@ -196,12 +198,13 @@ public class AccessControlManagerImplTes
     }
 
     @Nonnull
-    private ACL setupPolicy(@Nullable String path) throws RepositoryException {
+    private ACL setupPolicy(@Nullable String path, @Nullable Privilege... privileges) throws
RepositoryException {
+        Privilege[] privs = (privileges == null || privileges.length == 0) ? testPrivileges
: privileges;
         ACL policy = getApplicablePolicy(path);
         if (path == null) {
-            policy.addAccessControlEntry(testPrincipal, testPrivileges);
+            policy.addAccessControlEntry(testPrincipal, privs);
         } else {
-            policy.addEntry(testPrincipal, testPrivileges, true, getGlobRestriction("*"));
+            policy.addEntry(testPrincipal, privs, true, getGlobRestriction("*"));
         }
         acMgr.setPolicy(path, policy);
         return policy;
@@ -963,7 +966,38 @@ public class AccessControlManagerImplTes
     //---------------------------------------< getEffectivePolicies(String) >---
     @Test
     public void testGetEffectivePolicies() throws Exception {
-        // TODO
+        AccessControlPolicy[] policies = acMgr.getEffectivePolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(0, policies.length);
+
+        setupPolicy(testPath);
+        policies = acMgr.getEffectivePolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(0, policies.length);
+
+        root.commit();
+        policies = acMgr.getEffectivePolicies(testPath);
+        assertNotNull(policies);
+        assertEquals(1, policies.length);
+
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+
+        policies = acMgr.getEffectivePolicies(childPath);
+        assertNotNull(policies);
+        assertEquals(1, policies.length);
+
+        setupPolicy(childPath);
+
+        policies = acMgr.getEffectivePolicies(childPath);
+        assertNotNull(policies);
+        assertEquals(1, policies.length);
+
+        root.commit();
+
+        policies = acMgr.getEffectivePolicies(childPath);
+        assertNotNull(policies);
+        assertEquals(2, policies.length);
     }
 
     @Test
@@ -1012,6 +1046,77 @@ public class AccessControlManagerImplTes
         }
     }
 
+    /**
+     * @since OAK 1.0
+     */
+    @Test
+    public void testTestSessionGetEffectivePolicies() throws Exception {
+        // grant 'testUser' READ + READ_AC privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+        setupPolicy(testPath, privileges);
+        root.commit();
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        AccessControlManager testAcMgr = getTestAccessControlManager();
+
+        assertTrue(testAcMgr.hasPrivileges(testPath, privileges));
+
+        // diff to jr core: getEffectivePolicies will just return the policies
+        // accessible for the editing session but not throw an exception.
+        AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(testPath);
+        assertNotNull(effective);
+        assertEquals(1, effective.length);
+    }
+
+    /**
+     * @since OAK 1.0
+     */
+    @Test
+    public void testTestSessionGetEffectivePolicies2() throws Exception {
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+
+        setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ));
+        setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+        root.commit();
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        AccessControlManager testAcMgr = getTestAccessControlManager();
+
+        assertTrue(testAcMgr.hasPrivileges(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ,
PrivilegeConstants.JCR_READ_ACCESS_CONTROL)));
+
+        // diff to jr core: getEffectivePolicies will just return the policies
+        // accessible for the editing session but not throw an exception.
+        AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(childPath);
+        assertNotNull(effective);
+        assertEquals(1, effective.length);
+    }
+
+    @Test
+    public void testTestSessionGetEffectivePoliciesWithoutPrivilege() throws Exception {
+        // grant 'testUser' READ + READ_AC privileges at 'path'
+        Privilege[] privileges = privilegesFromNames(PrivilegeConstants.JCR_READ);
+        setupPolicy(testPath, privileges);
+        root.commit();
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        AccessControlManager testAcMgr = getTestAccessControlManager();
+
+        List<String> paths = ImmutableList.of(testPath, NodeTypeConstants.NODE_TYPES_PATH);
+        for (String path : paths) {
+            assertFalse(testAcMgr.hasPrivileges(path, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL)));
+            try {
+                testAcMgr.getEffectivePolicies(path);
+                fail("READ_ACCESS_CONTROL is not granted at " + path);
+            } catch (AccessDeniedException e) {
+                // success
+            }
+        }
+    }
+
     //-----------------------------< setPolicy(String, AccessControlPolicy) >---
     @Test
     public void testSetPolicy() throws Exception {
@@ -1554,20 +1659,170 @@ public class AccessControlManagerImplTes
             assertNotNull(policies);
             assertEquals(0, policies.length);
         }
-    }
 
-    @Test
-    public void testGetEffectivePoliciesByPrincipal2() throws Exception {
         setupPolicy(testPath);
+        // changes not yet persisted -> no effecitve policies found for testprincipal
+        for (Set<Principal> principals : principalSets) {
+            AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+            assertNotNull(policies);
+            assertEquals(0, policies.length);
+        }
+
+        root.commit();
+        // after persisting changes -> the policy must be found
+        for (Set<Principal> principals : principalSets) {
+            AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+            assertNotNull(policies);
+            if (principals.contains(getTestPrincipal())) {
+                assertEquals(1, policies.length);
+            } else {
+                assertEquals(0, policies.length);
+            }
+        }
 
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+        setupPolicy(childPath);
         // changes not yet persisted -> no effecitve policies found for testprincipal
-        AccessControlPolicy[] policies = acMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal));
-        assertNotNull(policies);
-        assertEquals(0, policies.length);
+        for (Set<Principal> principals : principalSets) {
+            AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+            assertNotNull(policies);
+            if (principals.contains(getTestPrincipal())) {
+                assertEquals(1, policies.length);
+            } else {
+                assertEquals(0, policies.length);
+            }
+        }
 
+        root.commit();
         // after persisting changes -> the policy must be found
+        for (Set<Principal> principals : principalSets) {
+            AccessControlPolicy[] policies = acMgr.getEffectivePolicies(principals);
+            assertNotNull(policies);
+            if (principals.contains(getTestPrincipal())) {
+                assertEquals(2, policies.length);
+            } else {
+                assertEquals(0, policies.length);
+            }
+        }
+
+    }
+
+    @Test
+    public void testTestSessionGetEffectivePoliciesByPrincipal() throws Exception {
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+        setupPolicy(testPath, privs);
+        setupPolicy(childPath, privs);
+        root.commit();
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+        AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+        assertNotNull(effective);
+        assertEquals(2, effective.length);
+    }
+
+    /**
+     * @since OAK 1.0 Policy at testPath not accessible -> getEffectivePolicies
+     * only returns the readable policy but doesn't fail.
+     */
+    @Test
+    public void testTestSessionGetEffectivePoliciesByPrincipal2() throws Exception {
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+
+        // policy at testPath: ac content was visible but the policy can't be
+        // retrieved from AcMgr as the accesscontrolled node is not visible.
+        setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+        // policy at childPath: will be found by the getEffectivePolicies
+        setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+        root.commit();
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+        AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+        assertNotNull(effective);
+        assertEquals(1, effective.length);
+    }
+
+    /**
+     * @since OAK 1.0 Policy at testPath not accessible -> getEffectivePolicies
+     * only returns the readable policy but doesn't fail.
+     */
+    @Test
+    public void testTestSessionGetEffectivePoliciesByPrincipal3() throws Exception {
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+
+        setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ));
+        setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
         root.commit();
-        policies = acMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal));
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+        AccessControlPolicy[] effective = testAcMgr.getEffectivePolicies(Collections.singleton(getTestPrincipal()));
+        assertNotNull(effective);
+        assertEquals(1, effective.length);
+    }
+
+    @Test
+    public void testTestSessionGetEffectivePoliciesByPrincipals() throws Exception {
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+        setupPolicy(testPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+
+        JackrabbitAccessControlList acl = getApplicablePolicy(childPath);
+        acl.addEntry(EveryonePrincipal.getInstance(), privs, true);
+        acMgr.setPolicy(childPath, acl);
+
+        root.commit();
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+        Set<Principal> principals = ImmutableSet.of(getTestPrincipal(), EveryonePrincipal.getInstance());
+        AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals);
+        assertNotNull(policies);
+        assertEquals(2, policies.length);
+    }
+
+    /**
+     * @since OAK 1.0 : only accessible policies are returned by call succeeds
+     */
+    @Test
+    public void testTestSessionGetEffectivePoliciesByPrincipals2() throws Exception {
+        NodeUtil child = new NodeUtil(root.getTree(testPath)).addChild("child", JcrConstants.NT_UNSTRUCTURED);
+        String childPath = child.getTree().getPath();
+
+        Privilege[] privs = privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL);
+
+        // create policy on testPath -> but deny access to test session
+        JackrabbitAccessControlList acl = getApplicablePolicy(testPath);
+        acl.addEntry(getTestPrincipal(), privs, false);
+        acMgr.setPolicy(testPath, acl);
+
+        // grant access at childpath
+        setupPolicy(childPath, privilegesFromNames(PrivilegeConstants.JCR_READ, PrivilegeConstants.JCR_READ_ACCESS_CONTROL));
+        root.commit();
+
+        Root testRoot = getTestRoot();
+        testRoot.refresh();
+        JackrabbitAccessControlManager testAcMgr = getTestAccessControlManager();
+
+        Set<Principal> principals = ImmutableSet.of(getTestPrincipal(), EveryonePrincipal.getInstance());
+        AccessControlPolicy[] policies = testAcMgr.getEffectivePolicies(principals);
         assertNotNull(policies);
         assertEquals(1, policies.length);
     }



Mime
View raw message